Invoke-Command in DSC resources

Last week I was helping a fellow IT Pro at a customer troubleshooting a Windows Azure Pack DSC resource.
We were getting errors we could not explain, but when running the code manually from our ISE everything went alright.
Eventually we pinned it down to a section of the code where we needed to get a True back, when instead we got a False.
There was one thing in our troubleshooting that triggered me…

When executing it through DSC, it failed. When executing it by hand, it succeeded.

If you execute it via DSC, it runs in a system context.
Sure, you can define credentials, but there is no option for user interaction the moment the code hits the client.
So my guess was that there seemed to be something in the Azure DSC resource that required user interaction… and we started looking.
We didn’t find anything that required user interaction.
But there was something else. We used the DSC resources before… when installing all of the WAP roles on a single server.
And we had no issues with that. None at all!

So… what does not require user input, but works under a user context and doesn’t under a system context? …and has in any way a correlation between having all roles installed on a single server or spreading them out over multiple servers?
PowerShell Remoting!

As we found out, the Invoke-Command cmdlet was used all over the Azure DSC resources!
… and not to connect to remote devices, simply to execute code on the local machine.
After changing the code of the DSC resource and removing all the Invoke-Command entries in there, it worked like a charm! 🙂

Invoke-Command in a DSC Resource
First: Invoke-Command is basically built on top of PowerShell Remoting. If you don’t need it, don’t use it. There are other ways of executing code locally 😉
In my personal opinion, there is no reason to use Invoke-Command in a DSC resource.
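
To see where a set of resource modules calls Invoke-Command, the script below is an added example (not code from the original post or from any DSC resource). It walks the PowerShell syntax tree of each `*.psm1` file and marks the calls that carry a remoting parameter, which go through WinRM even when the target is the local machine. The function name `Find-InvokeCommandUsage`, the temp folder and the sample module are assumptions constructed for the demonstration.

```powershell
function Find-InvokeCommandUsage {
    param([Parameter(Mandatory)] [string] $Path)   # hypothetical helper; $Path = folder with *.psm1 modules

    # Parameters that route Invoke-Command through PowerShell Remoting (Cn is the ComputerName alias)
    $remoting = 'ComputerName', 'Cn', 'Session', 'ConnectionUri'

    foreach ($file in Get-ChildItem -Path $Path -Recurse -Filter *.psm1) {
        $tokens = $null; $errors = $null
        $ast = [System.Management.Automation.Language.Parser]::ParseFile(
            $file.FullName, [ref] $tokens, [ref] $errors)

        # Walk the syntax tree, so comments and strings that mention the cmdlet are ignored
        $calls = $ast.FindAll({
            param($node)
            $node -is [System.Management.Automation.Language.CommandAst] -and
            $node.GetCommandName() -in 'Invoke-Command', 'icm'
        }, $true)

        foreach ($call in $calls) {
            $names = @($call.CommandElements |
                Where-Object { $_ -is [System.Management.Automation.Language.CommandParameterAst] } |
                ForEach-Object { $_.ParameterName })
            [pscustomobject]@{
                File       = $file.Name
                Line       = $call.Extent.StartLineNumber
                Remoting   = @($names | Where-Object { $_ -in $remoting }).Count -gt 0
                Credential = $names -contains 'Credential'
                Text       = $call.Extent.Text
            }
        }
    }
}

# Constructed sample module (not taken from any real DSC resource)
$dir = Join-Path ([IO.Path]::GetTempPath()) 'IcmScanDemo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
function Test-TargetResource {
    # Invoke-Command in a comment is not reported
    $viaRemoting = Invoke-Command -ComputerName . -ScriptBlock { Test-Path 'C:\Demo' }
    $noTarget    = Invoke-Command -ScriptBlock { Test-Path 'C:\Demo' }
    $callOp      = & { Test-Path 'C:\Demo' }
    return $viaRemoting
}
'@ | Set-Content -Path (Join-Path $dir 'Demo.psm1')

Find-InvokeCommandUsage -Path $dir | Format-Table File, Line, Remoting, Credential -AutoSize
```

The scan matches parameter names as they are written in full, so an abbreviated parameter such as `-Comp` is reported with `Remoting` set to False and needs a manual look at the `Text` column.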

Didn’t the author test this?
I guess he/she did. We only discovered this issue when we wanted to install Windows Azure Pack roles on separate servers instead of installing all of them on one server.
So when the author tested the resource, all roles were probably installed on a single server and no issue would appear 😉

*** UPDATE ***

Here’s a list of the Invoke-Command entries I’ve found over all x* DSC resources my customer is using:

5 comments

Hi Jeff, nice troubleshooting.
Please log an issue on GitHub so Microsoft is made aware.
Or even better, since you changed the code already, fork the repo and do a pull request of your enhancements / fixes!
Benefits for everyone 🙂

Hi Ben 🙂
Customer doesn’t allow me to put any more time in this, we have a project deadline.
Blog post was quick to make people aware.
Did a quick scan on all MSFT resources… it involves 132 entries over all their DSC resources… 🙁
Will try to find some time to fix it this week during the evenings 🙂

Customer doesn’t allow me to put any more time in this, we have a project deadline.
Blog post was quick to make people aware.
Did a quick scan on all MSFT resources… it involves 132 entries (updated the post above) over all their DSC resources…
Will try to find some time to fix it this week during the evenings